SB-138 Confidentiality of medical information.(2013-2014)

An act to amend Sections 56.05, 56.104, 56.16, 1786.2, and 1798.91 of, and to add Section 56.107 to, the Civil Code, to amend Section 4053 of the Financial Code, to amend Sections 1280.15, 1627, 117705, 117928, 120985, 121010, and 130201 of, and to add Section 1348.5 to, the Health and Safety Code, to amend Section 791.02 of, and to add Section 791.29 to, the Insurance Code, and to amend Sections 3208.05, 3762, and 5406.6 of the Labor Code, relating to medical information.

[Approved by Governor October 01, 2013. Filed with Secretary of State October 01, 2013.]

LEGISLATIVE COUNSEL'S DIGEST

SB 138, Hernandez.
Confidentiality of medical information.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.

Existing law, the Knox-Keene Health Care Service Plan Act of 1975, provides for the licensure and regulation of health care service plans by the Department of Managed Health Care and makes a willful violation of its provisions a crime. Existing law also provides for the regulation of health insurers by the Department of Insurance.

Existing law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.

This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including a “confidential communications request” which an insured, or a subscriber or enrollee under a health care service plan, may submit for the purpose of specifying the method for transmitting medical information communications.

This bill would specify the manner in which a health care service plan or health insurer, on and after January 1, 2015, would be required to maintain confidentiality of medical information regarding the treatment of an insured, subscriber, or enrollee, including requiring a health care service plan or health insurer to accommodate requests by insureds, subscribers, and enrollees to receive requests for confidential communication of medical information in situations involving sensitive services or situations in which disclosure would endanger the individual.

This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.

This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the waiver of certain rights provided for in the bill. The bill also would make conforming technical changes. Because a willful violation of these provisions by a health care service plan would be a crime, and because this bill would expand the scope of a crime, the bill would create a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Bill Text

The people of the State of California do enact as follows:

SECTION 1.

The Legislature finds and declares all of the following:

(a) Privacy is a fundamental right of all Californians, protected by the California Constitution, the federal Health Insurance Portability and Accountability Act (HIPAA; Public Law 104-191), and the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code.

(b) Implementation of the recently enacted federal Patient Protection and Affordable Care Act (Public Law 111-148) will expand the number of individuals insured as dependents on a health insurance policy held in another person’s name, including adult children under 26 years of age insured on a parent’s insurance policy.

(c) HIPAA explicitly protects the confidentiality of medical care obtained by dependents insured under a health insurance policy held by another person.

(d) Therefore, it is the intent of the Legislature in enacting this act to incorporate HIPAA standards into state law and to clarify the standards for protecting the confidentiality of medical information in insurance transactions.

SEC. 2.

Section 56.05 of the Civil Code is amended to read:

56.05.

For purposes of this part:

(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.

(b) “Authorized recipient” means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.

(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to him or her at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.

(d) “Contractor” means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(e) “Endanger” means that the subscriber or enrollee fears that disclosure of his or her medical information could subject the subscriber or enrollee to harassment or abuse.

(f) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

(g) “Health care service plan” means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(h) “Licensed health care professional” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

(i) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

“Marketing” does not include any of the following:

(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.

(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.

(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:

(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.

(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.

(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out request.

(j) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

(k) “Patient” means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.

(l) “Pharmaceutical company” means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(m) “Provider of health care” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

(n) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.

(o) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

SEC. 3.

Section 56.104 of the Civil Code is amended to read:

56.104.

(a) Notwithstanding subdivision (c) of Section 56.10, except as provided in subdivision (e), no provider of health care, health care service plan, or contractor may release medical information to persons or entities who have requested that information and who are authorized by law to receive that information pursuant to subdivision (c) of Section 56.10, if the requested information specifically relates to the patient’s participation in outpatient treatment with a psychotherapist, unless the person or entity requesting that information submits to the patient pursuant to subdivision (b) and to the provider of health care, health care service plan, or contractor a written request, signed by the person requesting the information or an authorized agent of the entity requesting the information, that includes all of the following:

(1) The specific information relating to a patient’s participation in outpatient treatment with a psychotherapist being requested and its specific intended use or uses.

(2) The length of time during which the information will be kept before being destroyed or disposed of. A person or entity may extend that timeframe, provided that the person or entity notifies the provider, plan, or contractor of the extension. Any notification of an extension shall include the specific reason for the extension, the intended use or uses of the information during the extended time, and the expected date of the destruction of the information.

(3) A statement that the information will not be used for any purpose other than its intended use.

(4) A statement that the person or entity requesting the information will destroy the information and all copies in the person’s or entity’s possession or control, will cause it to be destroyed, or will return the information and all copies of it before or immediately after the length of time specified in paragraph (2) has expired.

(b) The person or entity requesting the information shall submit a copy of the written request required by this section to the patient within 30 days of receipt of the information requested, unless the patient has signed a written waiver in the form of a letter signed and submitted by the patient to the provider of health care or health care service plan waiving notification.

(c) For purposes of this section, “psychotherapist” means a person who is both a “psychotherapist” as defined in Section 1010 of the Evidence Code and a “provider of health care” as defined in Section 56.05.

(d) This section does not apply to the disclosure or use of medical information by a law enforcement agency or a regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.

(e) This section shall not apply to any of the following:

(1) Information authorized to be disclosed pursuant to paragraph (1) of subdivision (c) of Section 56.10.

(2) Information requested from a psychotherapist by law enforcement or by the target of the threat subsequent to a disclosure by that psychotherapist authorized by paragraph (19) of subdivision (c) of Section 56.10, in which the additional information is clearly necessary to prevent the serious and imminent threat disclosed under that paragraph.

(3) Information disclosed by a psychotherapist pursuant to paragraphs (14) and (22) of subdivision (c) of Section 56.10 and requested by an agency investigating the abuse reported pursuant to those paragraphs.

(f) Nothing in this section shall be construed to grant any additional authority to a provider of health care, health care service plan, or contractor to disclose information to a person or entity without the patient’s consent.

SEC. 4.

Section 56.107 is added to the Civil Code, to read:

56.107.

(a) Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan shall take the following steps to protect the confidentiality of a subscriber’s or enrollee’s medical information on and after January 1, 2015:

(1) A health care service plan shall permit subscribers and enrollees to request, and shall accommodate requests for, communication in the form and format requested by the individual, if it is readily producible in the requested form and format, or at alternative locations, if the subscriber or enrollee clearly states either that the communication discloses medical information or provider name and address relating to receipt of sensitive services or that disclosure of all or part of the medical information or provider name and address could endanger the subscriber or enrollee.

(2) A health care service plan may require the subscriber or enrollee to make a request for a confidential communication described in paragraph (1), in writing or by electronic transmission.

(3) A health care service plan may require that a confidential communications request contain a statement that the request pertains to either medical information related to the receipt of sensitive services or that disclosure of all or part of the medical information could endanger the subscriber or enrollee. The health care service plan shall not require an explanation as to the basis for a subscriber’s or enrollee’s statement that disclosure could endanger the subscriber or enrollee.

(4) The confidential communication request shall be valid until the subscriber or enrollee submits a revocation of the request or a new confidential communication request is submitted.

(5) For the purposes of this section, a confidential communications request shall be implemented by the health care service plan within seven calendar days of receipt of an electronic transmission or telephonic request or within 14 calendar days of receipt by first-class mail. The health care service plan shall acknowledge receipt of the confidential communications request and advise the subscriber or enrollee of the status of implementation of the request if a subscriber or enrollee contacts the health care service plan.

(b) Notwithstanding subdivision (a), the provider of health care may make arrangements with the subscriber or enrollee for the payment of benefit cost sharing and communicate that arrangement with the health care service plan.

(c) A health care service plan shall not condition enrollment or coverage on the waiver of rights provided in this section.

SEC. 5.

Section 56.16 of the Civil Code is amended to read:

56.16.

For disclosures not addressed by Section 56.1007, unless there is a specific written request by the patient to the contrary, nothing in this part shall be construed to prevent a general acute care hospital, as defined in subdivision (a) of Section 1250 of the Health and Safety Code, upon an inquiry concerning a specific patient, from releasing at its discretion any of the following information: the patient’s name, address, age, and sex; a general description of the reason for treatment (whether an injury, a burn, poisoning, or some unrelated condition); the general nature of the injury, burn, poisoning, or other condition; the general condition of the patient; and any information that is not medical information as defined in Section 56.05.

SEC. 6.

Section 1786.2 of the Civil Code is amended to read:

1786.2.

The following terms as used in this title have the meaning expressed in this section:

(a) The term “person” means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. The term “person” as used in this title shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity involved in the same transaction.

(b) The term “consumer” means a natural individual who has made application to a person for employment purposes, for insurance for personal, family, or household purposes, or the hiring of a dwelling unit, as defined in subdivision (c) of Section 1940.

(c) The term “investigative consumer report” means a consumer report in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through any means. The term does not include a consumer report or other compilation of information that is limited to specific factual information relating to a consumer’s credit record or manner of obtaining credit obtained directly from a creditor of the consumer or from a consumer reporting agency when that information was obtained directly from a potential or existing creditor of the consumer or from the consumer. Notwithstanding the foregoing, for transactions between investigative consumer reporting agencies and insurance institutions, agents, or insurance-support organizations subject to Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, the term “investigative consumer report” shall have the meaning set forth in Section 791.02 of the Insurance Code.

(d) The term “investigative consumer reporting agency” means any person who, for monetary fees or dues, engages in whole or in part in the practice of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning consumers for the purposes of furnishing investigative consumer reports to third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes, or any licensed insurance agent, insurance broker, or solicitor, insurer, or life insurance agent.

(e) The term “file,” when used in connection with information on any consumer, means all of the information on that consumer recorded and retained by an investigative consumer reporting agency regardless of how the information is stored.

(f) The term “employment purposes,” when used in connection with an investigative consumer report, means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee.

(g) The term “medical information” means information on a person’s medical history or condition obtained directly or indirectly from a licensed physician, medical practitioner, hospital, clinic, or other medical or medically related facility.

SEC. 7.

Section 1798.91 of the Civil Code is amended to read:

1798.91.

(a) For purposes of this title, the following definitions shall apply:

(1) “Direct marketing purposes” means the use of personal information for marketing or advertising products, goods, or services directly to individuals. “Direct marketing purposes” does not include the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions or (B) to raise funds from and communicate with individuals regarding politics and government.

(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history, or medical treatment or diagnosis by a health care professional. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the individual’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity. For purposes of this section, “medical information” does not mean a subscription to, purchase of, or request for a periodical, book, pamphlet, video, audio, or other multimedia product or nonprofit association information.

(3) “Clear and conspicuous” means in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) For purposes of this section, the collection of medical information online constitutes “in writing.” For purposes of this section, “written consent” includes consent obtained online.

(b) A business may not orally request medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:

(1) Orally disclosing to the individual in the same conversation during which the business seeks to obtain the information, that it is obtaining the information to market or advertise products, goods, or services to the individual.

(2) Obtaining the consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual, and making and maintaining for two years after the date of the conversation, an audio recording of the entire conversation.

(c) A business may not request in writing medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:

(1) Disclosing in a clear and conspicuous manner that it is obtaining the information to market or advertise products, goods, or services to the individual.

(2) Obtaining the written consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual.

(d) This section does not apply to a provider of health care, health care service plan, or contractor, as defined in Section 56.05.

(e) This section shall not apply to an insurance institution, agent, or support organization, as defined in Section 791.02 of the Insurance Code, when engaged in an insurance transaction, as defined in Section 791.02 of the Insurance Code, pursuant to all the requirements of Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, and the regulations promulgated thereunder.

(f) This section does not apply to a telephone corporation, as defined in Section 234 of the Public Utilities Code, when that corporation is engaged in providing telephone services and products pursuant to Sections 2881, 2881.1, and 2881.2 of the Public Utilities Code, if the corporation does not share or disclose medical information obtained as a consequence of complying with those sections of the Public Utilities Code, to third parties for direct marketing purposes.

SEC. 8.

Section 4053 of the Financial Code is amended to read:

4053.

(a) (1) A financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, any nonaffiliated third party as prohibited by Section 4052.5, unless the financial institution has obtained a consent acknowledgment from the consumer that complies with paragraph (2) that authorizes the financial institution to disclose or share the nonpublic personal information. Nothing in this section shall prohibit or otherwise apply to the disclosure of nonpublic personal information as allowed in Section 4056. A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not provided consent pursuant to this subdivision and Section 4052.5 to authorize the financial institution to disclose or share nonpublic personal information pertaining to him or her with any nonaffiliated third party. Nothing in this section shall prohibit a financial institution from denying a consumer a financial product or service if the financial institution could not provide the product or service to a consumer without the consent to disclose the consumer’s nonpublic personal information required by this subdivision and Section 4052.5, and the consumer has failed to provide consent. A financial institution shall not be liable for failing to offer products and services to a consumer solely because that consumer has failed to provide consent pursuant to this subdivision and Section 4052.5 and the financial institution could not offer the product or service without the consent to disclose the consumer’s nonpublic personal information required by this subdivision and Section 4052.5, and the consumer has failed to provide consent. Nothing in this section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice.

(2) A financial institution shall utilize a form, statement, or writing to obtain consent to disclose nonpublic personal information to nonaffiliated third parties as required by Section 4052.5 and this subdivision. The form, statement, or writing shall meet all of the following criteria:

(A) The form, statement, or writing is a separate document, not attached to any other document.

(B) The form, statement, or writing is dated and signed by the consumer.

(C) The form, statement, or writing clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer.

(D) The form, statement, or writing clearly and conspicuously discloses (i) that the consent will remain in effect until revoked or modified by the consumer; (ii) that the consumer may revoke the consent at any time; and (iii) the procedure for the consumer to revoke consent.

(E) The form, statement, or writing clearly and conspicuously informs the consumer that (i) the financial institution will maintain the document or a true and correct copy; (ii) the consumer is entitled to a copy of the document upon request; and (iii) the consumer may want to make a copy of the document for the consumer’s records.

(b) (1) A financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing pursuant to subdivision (d) that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this division, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this division.

(2) Subdivision (a) shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement with the financial institution that receives the nonpublic personal information provided that all of the following requirements are met:

(A) The financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement.

(B) The financial product or service is jointly offered, endorsed, or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information.

(C) The written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a financial product or financial service that is the subject of the written agreement.

(D) The financial institution that releases the nonpublic personal information has complied with subdivision (d) and the consumer has not directed that the nonpublic personal information not be disclosed.

(E) Notwithstanding this section, until January 1, 2005, a financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or financial service, if that contract was entered into on or before January 1, 2004. Beginning on January 1, 2005, no nonpublic personal information may be disclosed pursuant to that contract unless all the requirements of this subdivision are met.

(3) Nothing in this subdivision shall prohibit a financial institution from disclosing or sharing nonpublic personal information as otherwise specifically permitted by this division.

(4) A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed pursuant to this subdivision that nonpublic personal information pertaining to him or her not be disclosed. A financial institution shall not be required to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) where the consumer has directed that nonpublic personal information not be disclosed pursuant to this subdivision and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer’s nonpublic personal information that the consumer has directed not be disclosed pursuant to this subdivision. A financial institution shall not be liable for failing to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) solely because the consumer has directed that nonpublic personal information not be disclosed pursuant to this subdivision and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer’s nonpublic personal information that the consumer has directed not be disclosed to affiliates pursuant to this subdivision. Nothing in this section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice set forth in this division. Nothing in this section shall prohibit the disclosure of nonpublic personal information allowed by Section 4056.

(5) The financial institution may, at its option, choose instead to comply with the requirements of subdivision (a).

(c) Nothing in this division shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the following requirements are met:

(1) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are regulated by the same functional regulator; provided, however, that for purposes of this subdivision, financial institutions regulated by the Office of the Comptroller of the Currency, Office of Thrift Supervision, National Credit Union Administration, or a state regulator of depository institutions shall be deemed to be regulated by the same functional regulator; financial institutions regulated by the Securities and Exchange Commission, the United States Department of Labor, or a state securities regulator shall be deemed to be regulated by the same functional regulator; and insurers admitted in this state to transact insurance and licensed to write insurance policies shall be deemed to be in compliance with this paragraph.

(2) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are both principally engaged in the same line of business. For purposes of this subdivision, “same line of business” shall be one and only one of the following:

(A) Insurance.

(B) Banking.

(C) Securities.

(3) The financial institution disclosing the nonpublic personal information and the financial institution receiving it share a common brand, excluding a brand consisting solely of a graphic element or symbol, within their trademark, service mark, or trade name, which is used to identify the source of the products and services provided.

A wholly owned subsidiary shall include a subsidiary wholly owned directly or wholly owned indirectly in a chain of wholly owned subsidiaries.

Nothing in this subdivision shall permit the disclosure by a financial institution of medical record information, as defined in Section 791.02 of the Insurance Code, except in compliance with the requirements of this division, including the requirements set forth in subdivisions (a) and (b).

(d) (1) A financial institution shall be conclusively presumed to have satisfied the notice requirements of subdivision (b) if it uses the form set forth in this subdivision. The form set forth in this subdivision or a form that complies with subparagraphs (A) to (L), inclusive, of this paragraph shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of his or her nonpublic personal information. If a financial institution does not use the form set forth in this subdivision, the financial institution shall use a form that meets all of the following requirements:

(A) The form uses the same title (“IMPORTANT PRIVACY CHOICES FOR CONSUMERS”) and the headers, if applicable, as follows: “Restrict Information Sharing With Companies We Own Or Control (Affiliates)” and “Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services.”

(B) The titles and headers in the form are clearly and conspicuously displayed, and no text in the form is smaller than 10-point type.

(C) The form is a separate document, except as provided by subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.

(D) The choice or choices pursuant to subdivision (b) and Section 4054.6, if applicable, provided in the form are stated separately and may be selected by checking a box.

(E) The form is designed to call attention to the nature and significance of the information in the document.

(F) The form presents information in clear and concise sentences, paragraphs, and sections.

(G) The form uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible.

(I) The form avoids explanations that are imprecise and readily subject to different interpretations.

(J) The form achieves a minimum Flesch reading ease score of 50, as defined in Section 2689.4(a)(7) of Title 10 of the California Code of Regulations, in effect on March 24, 2003, except that the information in the form included to comply with subparagraph (A) shall not be included in the calculation of the Flesch reading ease score, and the information used to describe the choice or choices pursuant to subparagraph (D) shall score no lower than the information describing the comparable choice or choices set forth in the form in this subdivision.

(K) The form provides wide margins, ample line spacing and uses boldface or italics for key words.

(L) The form is not more than one page.

(2) (A) None of the instructional items appearing in brackets in the form set forth in this subdivision shall appear in the form provided to the consumer, as those items are for explanation purposes only. If a financial institution does not disclose or share nonpublic personal information as described in a header of the form, the financial institution may omit the applicable header or headers, and the accompanying information and box, in the form it provides pursuant to this subdivision. The form with those omissions shall be conclusively presumed to satisfy the notice requirements of this subdivision.

[Form set forth in this subdivision (tip-in material) to be inserted here.]

(B) If a financial institution uses a form other than that set forth in this subdivision, the financial institution may submit that form to its functional regulator for approval, and for forms filed with the Office of Privacy Protection prior to July 1, 2007, that approval shall constitute a rebuttable presumption that the form complies with this section.

(C) A financial institution shall not be in violation of this subdivision solely because it includes in the form one or more brief examples or explanations of the purpose or purposes, or context, within which information will be shared, as long as those examples meet the clarity and readability standards set forth in paragraph (1).

(D) The outside of the envelope in which the form is sent to the consumer shall clearly state in 16-point boldface type “IMPORTANT PRIVACY CHOICES,” except that a financial institution sending the form to a consumer in the same envelope as a bill, account statement, or application requested by the consumer does not have to include the wording “IMPORTANT PRIVACY CHOICES” on that envelope. The form shall be sent in any of the following ways:

(i) With a bill, other statement of account, or application requested by the consumer, in which case the information required by Title V of the Gramm-Leach-Bliley Act may also be included in the same envelope.

(ii) As a separate notice or with the information required by Title V of the Gramm-Leach-Bliley Act, and including only information related to privacy.

(iii) With any other mailing, in which case it shall be the first page of the mailing.

(E) If a financial institution uses a form other than that set forth in this subdivision, that form shall be filed with the Office of Privacy Protection within 30 days after it is first used.

(3) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer’s directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subdivision (b) shall provide the consumer with a form that meets the requirements of this subdivision, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer.

Nothing in this subdivision shall prohibit the disclosure of nonpublic personal information as allowed by subdivision (c) or Section 4056.

(4) A financial institution may elect to comply with the requirements of subdivision (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subdivision (b), or subdivision (c) of Section 4054.6.

(5) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, “annually” means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually.

(6) A financial institution with assets in excess of twenty-five million dollars ($25,000,000) shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including twenty-five million dollars ($25,000,000) shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subdivision the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.

(7) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.

(e) Nothing in this division shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 4056 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party’s compliance with that contract.

SEC. 9.

Section 1280.15 of the Health and Safety Code is amended to read:

1280.15.

(a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 130203. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond five business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial five-day period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.

(j) For purposes of this section, the following definitions shall apply:

(1) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

(2) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

SEC. 10.

Section 1348.5 is added to the Health and Safety Code, to read:

1348.5.

A health care service plan shall comply with the provisions of Section 56.107 of the Civil Code to the extent required by that section. To the extent this chapter conflicts with Section 56.107 of the Civil Code, the provisions of Section 56.107 of the Civil Code shall control.

SEC. 11.

Section 1627 of the Health and Safety Code is amended to read:

1627.

(a) (1) On or before July 1, 2011, the University of California is requested to develop a plan to establish and administer the Umbilical Cord Blood Collection Program for the purpose of collecting units of umbilical cord blood for public use in transplantation and providing nonclinical units for research pertaining to biology and new clinical utilization of stem cells derived from the blood and tissue of the placenta and umbilical cord. The program shall conclude no later than January 1, 2018.

(2) For purposes of this article, “public use” means both of the following:

(A) The collection of umbilical cord blood units from genetically diverse donors that will be owned by the University of California. This inventory shall be accessible by the National Registry and by qualified California-based and other United States and international registries and transplant centers to increase the likelihood of providing suitably matched donor cord blood units to patients or research participants who are in need of a transplant.

(B) Cord blood units with a lower number of cells than deemed necessary for clinical transplantation and units that meet clinical requirements, but for other reasons are unsuitable, unlikely to be transplanted, or otherwise unnecessary for clinical use, may be made available for research.

(b) (1) In order to implement the collection goals of this program, the University of California may, commensurate with available funds appropriated to the University of California for this program, contract with one or more selected applicant entities that have demonstrated the competence to collect and ship cord blood units in compliance with federal guidelines and regulations.

(2) It is the intent of the Legislature that, if the University of California contracts with another entity pursuant to this subdivision, the following shall apply:

(A) The University of California may use a competitive process to identify the best proposals submitted by applicant entities to administer the collection and research objectives of the program, to the extent that the University of California chooses not to undertake these activities itself.

(B) In order to qualify for selection under this section to receive, process, cryopreserve, or bank cord blood units, the entity shall, at a minimum, have obtained an investigational new drug (IND) exemption from the FDA or a biologic license from the FDA, as appropriate, to manufacture clinical grade cord blood stem cell units for clinical indications.

(C) In order to qualify to receive appropriate cord blood units and placental tissue to advance the research goals of this program, an entity shall, at a minimum, be a laboratory recognized as having performed peer-reviewed research on stem and progenitor cells, including those derived from placental or umbilical cord blood and postnatal tissue.

(3) A medical provider or research facility shall comply with, and shall be subject to, existing penalties for violations of all applicable state and federal laws with respect to the protection of any medical information, as defined in Section 56.05 of the Civil Code, and any personally identifiable information contained in the umbilical cord blood inventory.

(c) The University of California is encouraged to make every effort to avoid duplication or conflicts with existing and ongoing programs and to leverage existing resources.

(d) (1) All information collected pursuant to the program shall be confidential, and shall be used solely for the purposes of the program, including research. Access to confidential information shall be limited to authorized persons who are bound by appropriate institutional policies or who otherwise agree, in writing, to maintain the confidentiality of that information.

(2) Any person who, in violation of applicable institutional policies or a written agreement to maintain confidentiality, discloses any information provided pursuant to this section, or who uses information provided pursuant to this section in a manner other than as approved pursuant to this section, may be denied further access to any confidential information maintained by the University of California, and shall be subject to a civil penalty not exceeding one thousand dollars ($1,000). The penalty provided for in this section shall not be construed to limit or otherwise restrict any remedy, provisional or otherwise, provided by law for the benefit of the University of California or any other person covered by this section.

(3) Notwithstanding the restrictions of this section, an individual to whom the confidential information pertains shall have access to his or her own personal information.

(e) It is the intent of the Legislature that the plan and implementation of the program provide for both of the following:

(1) Limit fees for access to cord blood units to the reasonable and actual costs of storage, handling, and providing units, as well as for related services such as donor matching and testing of cord blood and other programs and services typically provided by cord blood banks and public use programs.

(2) The submittal of the plan developed pursuant to subdivision (a) to the health and fiscal committees of the Legislature.

(f) It is additionally the intent of the Legislature that the plan and implementation of the program attempt to provide for all of the following:

(1) Development of a strategy to increase voluntary participation by hospitals in the collection and storage of umbilical cord blood and identify funding sources to offset the financial impact on hospitals.

(2) Consideration of a medical contingency response program to prepare for and respond effectively to biological, chemical, or radiological attacks, accidents, and other public health emergencies where victims potentially benefit from treatment.

(3) Exploration of the feasibility of operating the program as a self-funding program, including the potential for charging users a reimbursement fee.

SEC. 12.

Section 117705 of the Health and Safety Code is amended to read:

117705.

“Medical waste generator” means any person whose act or process produces medical waste and includes, but is not limited to, a provider of health care, as defined in Section 56.05 of the Civil Code. All of the following are examples of businesses that generate medical waste:

SEC. 13.

Section 117928 of the Health and Safety Code is amended to read:

117928.

(a) Any common storage facility for the collection of medical waste produced by small quantity generators operating independently, but sharing common storage facilities, shall have a permit issued by the enforcement agency.

(b) A permit for any common storage facility specified in subdivision (a) may be obtained by any one of the following:

(1) A provider of health care as defined in Section 56.05 of the Civil Code.

SEC. 14.

Section 120985 of the Health and Safety Code is amended to read:

120985.

(a) Notwithstanding Section 120980, the results of an HIV test that identifies or provides identifying characteristics of the person to whom the test results apply may be recorded by the physician who ordered the test in the test subject’s medical record or otherwise disclosed without written authorization of the subject of the test, or the subject’s representative as set forth in Section 121020, to the test subject’s providers of health care, as defined in Section 56.05 of the Civil Code, for purposes of diagnosis, care, or treatment of the patient, except that for purposes of this section, “providers of health care” does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2.

(b) Recording or disclosure of HIV test results pursuant to subdivision (a) does not authorize further disclosure unless otherwise permitted by law.

SEC. 15.

Section 121010 of the Health and Safety Code is amended to read:

121010.

Notwithstanding Section 120975 or 120980, the results of a blood test to detect antibodies to the probable causative agent of AIDS may be disclosed to any of the following persons without written authorization of the subject of the test:

(a) To the subject of the test or the subject’s legal representative, conservator, or to any person authorized to consent to the test pursuant to subdivision (b) of Section 120990.

(b) To a test subject’s provider of health care, as defined in Section 56.05 of the Civil Code, except that for purposes of this section, “provider of health care” does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2.

(c) To an agent or employee of the test subject’s provider of health care who provides direct patient care and treatment.

(d) To a provider of health care who procures, processes, distributes, or uses a human body part donated pursuant to the Uniform Anatomical Gift Act (Chapter 3.5 (commencing with Section 7150) of Part 1 of Division 7).

(e) (1) To the designated officer of an emergency response employee, and from that designated officer to an emergency response employee regarding possible exposure to HIV or AIDS, but only to the extent necessary to comply with provisions of the Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).

(2) For purposes of this subdivision, “designated officer” and “emergency response employee” have the same meaning as these terms are used in the Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).

(3) The designated officer shall be subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV results. Further, the designated officer shall inform the exposed emergency response employee that the employee is also subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV test results.

SEC. 16.

Section 130201 of the Health and Safety Code is amended to read:

130201.

For purposes of this division, the following definitions apply:

(a) “Director” means the Director of the Office of Health Information Integrity.

(b) “Medical information” means the term as defined in Section 56.05 of the Civil Code.

(c) “Office” means the Office of Health Information Integrity.

(d) “Provider of health care” means the term as defined in Sections 56.05 and 56.06 of the Civil Code.

(e) “Unauthorized access” means the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or by other statutes or regulations governing the lawful access, use, or disclosure of medical information.

SEC. 17.

Section 791.02 of the Insurance Code is amended to read:

791.02.

As used in this act:

(a) (1) “Adverse underwriting decision” means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:

(A) A declination of insurance coverage.

(B) A termination of insurance coverage.

(C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant.

(D) In the case of a property or casualty insurance coverage:

(i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution that provides insurance to other than preferred or standard risks, shall not include placement if the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks, or

(ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished.

(E) In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.

(2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:

(A) The termination of an individual policy form on a class or statewide basis.

(B) A declination of insurance coverage solely because coverage is not available on a class or statewide basis.

(C) The rescission of a policy.

(b) “Affiliate” or “affiliated” means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person.

(d) “Applicant” means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

(e) “Consumer report” means any written, oral, or other communication of information bearing on a natural person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.

(f) “Consumer reporting agency” means any person who:

(1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee.

(2) Obtains information primarily from sources other than insurance institutions.

(3) Furnishes consumer reports to other persons.

(g) “Control,” including the terms “controlled by” or “under common control with,” means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.

(h) “Declination of insurance coverage” means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.

(i) “Individual” means any natural person who is any of the following:

(1) In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder.

(2) In the case of life or disability insurance, is a past, present, or proposed principal insured or certificate holder.

(3) Is a past, present, or proposed policyowner.

(4) Is a past or present applicant.

(5) Is a past or present claimant.

(6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act.

(j) “Institutional source” means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than any of the following:

(1) An agent.

(2) The individual who is the subject of the information.

(3) A natural person acting in a personal capacity rather than in a business or professional capacity.

(k) “Insurance institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code.

(l) “Insurance-support organization” means:

(1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:

(A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.

(B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.

(m) “Insurance transaction” means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:

(1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.

(2) The servicing of an insurance application, policy, contract, or certificate.

(n) “Investigative consumer report” means a consumer report or portion thereof in which information about a natural person’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person’s neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those items of information.

(o) “Medical care institution” means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics, rehabilitation agencies, and public health agencies.

(s) “Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Personal information” includes an individual’s name and address and “medical record information” but does not include “privileged information.”

(t) “Policyholder” means any person who is any of the following:

(1) In the case of individual property or casualty insurance, is a present named insured.

(2) In the case of individual life or disability insurance, is a present policyowner.

(3) In the case of group insurance, which is individually underwritten, is a present group certificate holder.

(u) “Pretext interview” means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

(1) Pretends to be someone he or she is not.

(2) Pretends to represent a person he or she is not in fact representing.

(1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual.

(2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered “personal information” under this act if it is disclosed in violation of Section 791.13.

(x) “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

(y) “Unauthorized insurer” means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state.

(z) “Commissioner” means the Insurance Commissioner.

(aa) “Confidential communications request” means a request by an insured covered under a health insurance policy that insurance communications containing medical information be communicated to him or her at a specific mail or email address or specific telephone number, as designated by the insured.

(ab) “Endanger” means that the insured covered under a health insurance policy fears that the disclosure of his or her medical information could subject the insured covered under a health insurance policy to harassment or abuse.

(ac) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient of any age at or above the minimum age specified for consenting to the service specified in the section.

(ad) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health insurer, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

SEC. 18.

Section 791.29 is added to the Insurance Code, to read:

791.29.

(a) Notwithstanding any other law, and to the extent permitted by federal law, a health insurer shall take the following steps to protect the confidentiality of an insured’s medical information on and after January 1, 2015:

(1) A health insurer shall permit an insured to request, and shall accommodate requests for, communication in the form and format requested by the individual, if it is readily producible in the requested form and format, or at alternative locations, if the insured clearly states either that the communication discloses medical information or provider name and address relating to receipt of sensitive services or that disclosure of all or part of the medical information or provider name and address could endanger him or her.

(2) A health insurer may require the insured to make a request for a confidential communication described in paragraph (1) in writing or by electronic transmission.

(3) A health insurer may require that a confidential communications request contain a statement that the request pertains to either medical information related to the receipt of sensitive services or that disclosure of all or part of the medical information could endanger the insured. The health insurer shall not require an explanation as to the basis for an insured’s statement that disclosure could endanger the insured.

(4) The confidential communication request shall be valid until the insured submits a revocation of the request, or a new confidential communication request is submitted.

(5) For the purposes of this section, a confidential communications request must be implemented by the health insurer within seven calendar days of the receipt of an electronic transmission or telephonic request or within 14 calendar days of receipt by first-class mail. The health insurer shall acknowledge receipt of the confidential communications request and advise the insured of the status of implementation of the request if an insured contacts the insurer.

(b) Notwithstanding subdivision (a), a provider of health care may make arrangements with the insured for the payment of benefit cost sharing and communicate that arrangement with the insurer.

(c) A health insurer shall not condition coverage on the waiver of rights provided in this section.

SEC. 19.

Section 3208.05 of the Labor Code is amended to read:

3208.05.

(a) “Injury” includes a reaction to or a side effect arising from health care provided by an employer to a health care worker, which health care is intended to prevent the development or manifestation of any bloodborne disease, illness, syndrome, or condition recognized as occupationally incurred by Cal-OSHA, the federal Centers for Disease Control and Prevention, or other appropriate governmental entities. This section shall apply only to preventive health care that the employer provided to a health care worker under the following circumstances: (1) prior to an exposure because of risk of occupational exposure to such a disease, illness, syndrome, or condition, or (2) where the preventive care is provided as a consequence of a documented exposure to blood or bodily fluid containing blood that arose out of and in the course of employment. Such a disease, illness, syndrome, or condition includes, but is not limited to, hepatitis, and the human immunodeficiency virus. Such preventive health care, and any disability indemnity or other benefits required as a result of the preventive health care provided by the employer, shall be compensable under the workers’ compensation system. The employer may require the health care worker to document that the employer provided the preventive health care and that the reaction or side effects arising from the preventive health care resulted in lost work time, health care costs, or other costs normally compensable under workers’ compensation.

(b) The benefits of this section shall not be provided to a health care worker for a reaction to or side effect from health care intended to prevent the development of the human immunodeficiency virus if the worker claims a work-related exposure and if the worker tests positive within 48 hours of that exposure to a test to determine the presence of the human immunodeficiency virus.

(c) For purposes of this section, “health care worker” includes any person who is an employee of a provider of health care as defined in Section 56.05 of the Civil Code, and who is exposed to human blood or other bodily fluids contaminated with blood in the course of employment, including, but not limited to, a registered nurse, a licensed vocational nurse, a certified nurse aide, clinical laboratory technologist, dental hygienist, physician, janitor, and housekeeping worker. “Health care worker” does not include an employee who provides employee health services for an employer primarily engaged in a business other than providing health care.

SEC. 20.

Section 3762 of the Labor Code is amended to read:

3762.

(a) Except as provided in subdivisions (b) and (c), the insurer shall discuss all elements of the claim file that affect the employer’s premium with the employer, and shall supply copies of the documents that affect the premium at the employer’s expense during reasonable business hours.

(b) The right provided by this section shall not extend to any document that the insurer is prohibited from disclosing to the employer under the attorney-client privilege, any other applicable privilege, or statutory prohibition upon disclosure, or under Section 1877.4 of the Insurance Code.

(c) An insurer, third-party administrator retained by a self-insured employer pursuant to Section 3702.1 to administer the employer’s workers’ compensation claims, and those employees and agents specified by a self-insured employer to administer the employer’s workers’ compensation claims, are prohibited from disclosing or causing to be disclosed to an employer, any medical information, as defined in Section 56.05 of the Civil Code, about an employee who has filed a workers’ compensation claim, except as follows:

(1) Medical information limited to the diagnosis of the mental or physical condition for which workers’ compensation is claimed and the treatment provided for this condition.

(2) Medical information regarding the injury for which workers’ compensation is claimed that is necessary for the employer to have in order for the employer to modify the employee’s work duties.

SEC. 21.

Section 5406.6 of the Labor Code is amended to read:

5406.6.

(a) In the case of the death of a health care worker, a worker described in Section 3212, or a worker described in Section 830.5 of the Penal Code from an HIV-related disease, the period within which proceedings may be commenced for the collection of benefits provided by Article 4 (commencing with Section 4700) of Chapter 2 of Part 2 is one year from the date of death, providing that one or more of the following events has occurred:

(1) A report of the injury or exposure was made to the employer or to a governmental agency authorized to administer industrial injury claims, within one year of the date of the injury.

(2) The worker has complied with the notice provisions of this chapter and the claim has not been finally determined to be noncompensable.

(3) The employer provided, or was ordered to provide, workers’ compensation benefits for the injury prior to the date of death.

(b) For the purposes of this section, “health care worker” means an employee who has direct contact, in the course of his or her employment, with blood or other bodily fluids contaminated with blood, or with other bodily fluids identified by the Division of Occupational Safety and Health as capable of transmitting HIV, who is either (1) any person who is an employee of a provider of health care, as defined in Section 56.05 of the Civil Code, including, but not limited to, a registered nurse, licensed vocational nurse, certified nurse aide, clinical laboratory technologist, dental hygienist, physician, janitor, or housekeeping worker, or (2) an employee who provides direct patient care.

SEC. 22.

No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.